John Safranek
77c9b36b5a
Merge pull request #4181 from dgarske/sniffer_keycb
...
Sniffer fixes and new sniffer key callback support
2021-07-19 13:26:17 -07:00
Daniel Pouzzner
186ff2b365
make -DNO_ED25519_KEY_{IMPORT,EXPORT} buildable, and fix api.c and suites.c so that -DNO_ED*_KEY_{IMPORT,EXPORT} pass make check.
2021-07-16 23:07:28 -05:00
Daniel Pouzzner
ac92204c15
make -DNO_ED448_KEY_{IMPORT,EXPORT} buildable
2021-07-16 18:21:30 -05:00
David Garske
070ca6c34d
Fixes to properly support sniffer with secure renegotiation.
2021-07-16 14:48:22 -07:00
Daniel Pouzzner
9b43e57ccf
ED: add streaming API to the ED verify routines: wc_ed*_verify_msg_init(), wc_ed*_verify_msg_update(), wc_ed*_verify_msg_final();
...
harmonize the ED448 API with the ED25519 API by making wc_ed448_verify_msg_ex() and wc_ed448_init_ex() public functions;
track devId and heap pointer in ed*_key.{devId,heap}, and pass them through to sha init functions;
add ed*_key.{sha,sha_clean_flag}, and ed*_hash_{reset,update,final} functions, and use them for all ED hashing ops, to support streaming API and for optimally efficient reuse for the preexisting ED calls;
add ed448_hash() akin to ed25519_hash(), and use it in place of wc_Shake256Hash(), for .sha_clean_flag dynamics.
add to wc_ed*_import_private_key() the ability to import the combined key generated by wc_ed*_export_private() without supplying the redundant public key;
add macro asserts near top of ed*.h to assure the required hash functions are available;
fix {NO,HAVE}_ED*_{SIGN,VERIFY};
wolfcrypt/test/test.c: add missing key initializations in ed*_test();
wolfcrypt/test/test.c: fix unaligned access in myDecryptionFunc() detected by -fsanitize=address,undefined.
2021-07-16 13:49:47 -05:00
David Garske
fe77e29ba0
Fix for SNI refactor handling of return codes. Fix for possible use of NULL on client array.
2021-07-16 11:23:20 -07:00
David Garske
3ff21171cb
Fix for secure renegotiation, which was not keeping handshake resources. Added NULL checks for case where handshake resources might be free'd to prevent possible use of NULL. Refactor the SNI client hello processing to not assume TLS header is in prior buffer (not there for decrypted handshake packets).
2021-07-14 10:44:33 -07:00
John Safranek
f82fd01283
Merge pull request #4202 from JacobBarthelmeh/BuildOptions
...
fix for build with wpas and disable tls13
2021-07-14 09:07:08 -07:00
JacobBarthelmeh
18399091ce
Merge pull request #4012 from julek-wolfssl/haproxy
...
HaProxy 2.4-dev18 support
2021-07-14 15:46:04 +07:00
Jacob Barthelmeh
2592a04d8a
fix for build with wpas and disable tls13
2021-07-13 15:49:40 +07:00
John Safranek
52b8c7b1fa
Merge pull request #4192 from haydenroche5/ocsp_http_header
...
Improve wolfIO_HttpProcessResponse HTTP header checking logic.
2021-07-12 14:13:07 -07:00
David Garske
4f055653c7
Restore TLS v1.3 hello_retry behavior with session id. Fix for SNI with default (no name) putting newline due to fgets.
2021-07-08 13:50:08 -07:00
David Garske
4cb076f22b
Cleanup to remove duplicate stat sslResumptionValid. Add print of sslResumptionInserts.
2021-07-08 09:49:13 -07:00
David Garske
ddbe0e6dab
Fix for sniffer stats on resume miss. The logic for hello_retry_request will no longer try and do resume, so restore BAD_SESSION_RESUME_STR error.
2021-07-08 09:31:59 -07:00
John Safranek
b9dac74086
Merge pull request #4193 from JacobBarthelmeh/StaticAnalysisTests
...
Static analysis tests
2021-07-07 14:23:58 -07:00
JacobBarthelmeh
86e5287a14
Merge pull request #4032 from TakayukiMatsuo/tk11968
...
Make wolfSSL_CTX_set_timeout reflect to Session-ticket-lifetime-hint
2021-07-07 22:26:06 +07:00
JacobBarthelmeh
7b9d6a3f5e
Merge pull request #3792 from TakayukiMatsuo/os_keylog
...
Add wolfSSL_CTX_set_keylog_callback
2021-07-07 15:34:33 +07:00
Hayden Roche
7422f07fb5
Improve wolfIO_HttpProcessResponse HTTP header checking logic.
...
Modify this function to just ensure that the response header starts with "HTTP
1.x 200" (where x is 0, 1, etc.).
2021-07-06 15:18:26 -07:00
Juliusz Sosinowicz
fc7533fe5e
Code review changes
2021-07-06 16:14:25 +02:00
Juliusz Sosinowicz
1acf906612
Code review changes
2021-07-06 15:39:23 +02:00
Juliusz Sosinowicz
6dfc702364
Correct serverDH_Pub length on renegotiation
...
On a renegotiation the serverDH_Pub buffer may be too short. The previous DhGenKeyPair call may have generated a key that has a shorter binary representation (usually by one byte). Calling DhGenKeyPair with this shorter buffer results in a WC_KEY_SIZE_E error.
2021-07-06 15:39:23 +02:00
Juliusz Sosinowicz
1b6b16c2c3
HaProxy 2.4-dev18 support
...
*This patch is dependent on https://github.com/wolfSSL/wolfssl/pull/3871 because proto version selection logic is refactored in that pull request.*
This patch contains the following changes:
- Enable more options with `--enable-haproxy`
- Compatibility layer additions
- `STACK_TYPE_X509_OBJ`
- `OCSP_id_cmp`
- `X509_STORE_get0_objects`
- `X509V3_EXT_nconf_nid`
- `X509V3_EXT_nconf`
- `X509_chain_up_ref`
- `X509_NAME_hash`
- `sk_X509_NAME_new_null`
- `X509_OBJECT_get0_X509`
- `X509_OBJECT_get0_X509_CRL`
- `ASN1_OCTET_STRING_free`
- `X509_LOOKUP_TYPE`
- `OSSL_HANDSHAKE_STATE`
- New `OPENSSL_COMPATIBLE_DEFAULTS` define will set default behaviour that is compatible with OpenSSL
- WOLFSSL_CTX
- Enable all compiled in protocols
- Allow anonymous ciphers
- Set message grouping
- Set verify to SSL_VERIFY_NONE
- In `SetSSL_CTX`, don't change `send` and `recv` callback if currently using `BIO`
- `ssl->peerVerifyRet`
- Return first that occured
- Set correct value on date error
- Set revoked error on OCSP or CRL error
- Save value in session and restore on resumption
- Add to session serialization
- With `OPENSSL_EXTRA`, send an alert on invalid downgrade attempt
- Handle sni callback `SSL_TLSEXT_ERR_NOACK`
- Add `WOLFSSL_VERIFY_DEFAULT` option for `wolfSSL_CTX_set_verify` and `wolfSSL_set_verify` to allow resetting to default behaviour
2021-07-06 15:39:23 +02:00
Jacob Barthelmeh
ae00b5acd0
some minor changes for unintialized and null infer reports
2021-07-06 14:13:45 +07:00
TakayukiMatsuo
5df0f7820a
Add wolfSSL_CTX_set_keylog_callback
2021-07-03 14:51:23 +09:00
David Garske
26789ef877
Fix variable declaration mid-code.
2021-07-02 13:24:25 -07:00
David Garske
2dd169f9a1
Added new sniffer API for callback for key use ssl_SetKeyCallback. Support indicated by WOLFSSL_SNIFFER_KEY_CALLBACK. Trace cleanup for custom error.
2021-07-02 12:18:56 -07:00
TakayukiMatsuo
567d8ed704
Make wolfSSL_set_session return success on timeout under WOLFSSL_ERROR_CODE_OPENSSL macro definition.
2021-07-02 10:50:00 +09:00
TakayukiMatsuo
aef9e560b1
Make wolfSSL_CTX_set_timeout call wolfSSL_CTX_set_TicketHint internally to change session-ticket-lifetime-hint.
2021-07-02 09:15:01 +09:00
Daniel Pouzzner
e9e41d3344
Merge pull request #4070 from elms/fsanitize/undefined_fixes
...
address errors with `-fsanitize=undefined`
2021-07-01 13:00:06 -05:00
JacobBarthelmeh
45486ac904
Merge pull request #4166 from miyazakh/supportedversion_ex_mindowngrade
...
not include smaller versions than minimum downgrade
2021-07-01 21:00:20 +07:00
Elms
75e807abc6
Fixes for gcc-10 and -fsanitize=undefined for rabbit.c
...
* One introduced in #4156
* One from previous commit in this PR
2021-06-30 22:20:17 -07:00
Sean Parkinson
6694775d4b
Changes to compile without XTREAM_ALIGN
...
Use macro to load 32 bits from input parameters key in hc128.c and input
in rabbit.c
Also fix warning about string copy.
2021-06-30 21:58:30 -07:00
Elms
56d879f422
address scan-build issues for clang 6 and 10
2021-06-30 21:58:30 -07:00
Elms
dc7beab784
address errors with -fsanitize=undefined
...
- fix null dereferences or undefined `memcpy` calls
- fix alignment in `myCryptoDevCb`
- fix default dtls context assignment
- add align configure option to force data alignment
TESTED:
`./configure CFLAGS=-fsanitize=undefined\ -DWOLFSSL_GENERAL_ALIGNMENT=1 --enable-all`
2021-06-30 21:58:30 -07:00
Sean Parkinson
f56bf3d8ee
TLS: Get DH anon working TLS 1.2 and below
...
Send the server DH parameters in ServerKeyExchange.
./configure '--enable-anon' '--disable-rsa' '--enable-oldtls'
2021-06-29 10:29:39 +10:00
David Garske
63ad5d58a2
Merge pull request #4162 from ejohnstown/abi-update
...
ABI Update
2021-06-25 08:36:07 -07:00
John Safranek
5437883da7
Merge pull request #4164 from dgarske/async_frag
...
Fix for async with fragmented packets
2021-06-25 08:33:50 -07:00
David Garske
74b9b5a8cd
Merge pull request #4156 from SparkiDev/regression_fixes_1
...
Regression test fixes
2021-06-25 07:48:02 -07:00
Hideki Miyazaki
d576e3ef96
not send smaller versions than minimum downgradable version as supportedversion ext
2021-06-25 14:51:34 +09:00
Sean Parkinson
dab6724059
Regression fixes: more configurations
...
./configure --disable-rsa --disable-ecc --disable-dh --enable-curve25519
&& make
./configure --disable-aescbc --disable-chacha --disable-poly1305
--disable-coding && make
2021-06-25 15:23:51 +10:00
Sean Parkinson
8592053856
Regression test fixes
...
./configure --enable-all --disable-rsa
./configure --disable-chacha --disable-asm
./configure --disable-rsa --disable-ecc --disable-dh --enable-curve25519
--enable-cryptonly (and ed25519, curve448, ed448)
./configure --disable-tls13 --enable-psk --disable-rsa --disable-ecc
--disable-dh C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK
./configure --disable-oldtls --enable-psk -disable-rsa --disable-dh
-disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK
--enable-lowresource --enable-singlethreaded --disable-asm
--disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224
--disable-sha384 --disable-sha512 --disable-sha --disable-md5
-disable-aescbc --disable-chacha --disable-poly1305 --disable-coding
Various build combinations with WOLFSSL_SP_MATH and WOLFSSL_SP_MATH_ALL
2021-06-25 09:18:06 +10:00
David Garske
45ef68d5c7
Fix for async with fragmented packets where inline crypto could be overwritten on reprocessing fragment. FIxes unit tests with --enable-all --enable-asynccrypt. Minor cleanup for line length and free verify RSA buffer sooner.
...
Reproducible with:
```
./examples/server/server -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem -2
./examples/client/client -v 3 -l ECDHE-ECDSA-AES256-GCM-SHA384 -A ./certs/ca-ecc-cert.pem -F 6 -2
```
2021-06-24 16:03:12 -07:00
John Safranek
66c29ef1ca
ABI Update
...
Add wolfSSL_CTX_set_verify to the ABI list.
2021-06-24 14:08:28 -07:00
Juliusz Sosinowicz
656e49cc3b
Expand SHA-3 support
...
Add more support in the EVP layer as well as add signing support. The SHA-3 OID's were also added for DER algorithm identifier encoding.
2021-06-24 19:31:43 +02:00
David Garske
c59d1f2e8d
Merge pull request #4155 from SparkiDev/ssl_reorg_3
...
Reorg of ssl.c: standard C wrappers, EX_DATA, BUF_MEM, TXT_DB
2021-06-24 09:53:53 -07:00
David Garske
97ab1bb013
Merge pull request #4154 from SparkiDev/hmac_update_ct
...
TLS hmac: handle truncated mac in Hmac_UpdateFinal_CT()
2021-06-24 09:28:22 -07:00
John Safranek
ae2f2b246e
Merge pull request #4148 from BrianAker/master
...
Fix for make distcheck, maintainer-clean, to allow distribution builds.
2021-06-23 10:33:06 -07:00
Juliusz Sosinowicz
4eff3ff3dd
Add a reason text for APP_DATA_READY
2021-06-23 13:43:56 +02:00
Sean Parkinson
945acb4c2f
Reorg of ssl.c: standard C wrappers, EX_DATA, BUF_MEM, TXT_DB
2021-06-23 11:28:38 +10:00
Sean Parkinson
2923d812bd
Merge pull request #4058 from miyazakh/qt_oslext_cs
...
TLS: extend set_cipher_list() compatibility layer API
2021-06-23 10:12:11 +10:00